I currently have an SSL certificate which is registered for https://www.domain.com. I didn't register https://domain.com and I don't have money to do that.
Since the SSL exchange is done before the actual site is loaded, I can't simply put a redirect in .htaccess without the client getting an SSL warning. Is there any way I can make sure that all https://domain.com requests are redirected to https://www.domain.com before the SSL exchange? Maybe something directly on the Apache server or something in the DNS?
Best Answer
Host name verification is a client-side mechanism (as described in the HTTPS specification, RFC 2818, Section 3.1). The client will check that the certificate is valid for the host name it has requested before any HTTP traffic happens (in particular, before any redirection). Apache redirections or DNS changes won't be of any use.
You simply need the web server to present a certificate that is valid for the requested host name.
Some certificates can be valid for multiple host names, by having multiple Subject Alternative Name (SAN) DNS entries, e.g. domain.com and www.domain.com. Some CAs do this by default, some do it for an extra fee.
(Wildcard certificates can also be used to handle multiple host names provided they follow the right pattern, such as *.domain.com. Unfortunately, domain.com isn't matched by *.domain.com because the dot is part of the pattern. Some wildcard certs will have both a SAN for domain.com and *.domain.com, in which case it's the SAN mechanism that will be used for domain.com, nothing to do with the wildcard.)
You could also use Server Name Indication (SNI) and have an additional, different certificate on that host for domain.com (next to the one for www.domain.com). Unfortunately, it's not supported by certain clients (possibly old, but they still exist), and it would certainly be pointless, since most CAs issuing a cert for domain.com would certainly include www.domain.com automatically in another SAN anyway.
Either way, if you want to be able to serve https://domain.com at all (even if it's just for a redirection), you'll have to get a new certificate valid for it (at least).
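The client-side rule the answer describes (exact SAN match, wildcard matching only one leftmost label, so *.domain.com does not cover domain.com) can be illustrated with a small host-name matcher. This is an added example written for this page, not code from the answer's author or from Apache; it is a simplified version of the RFC 2818 section 3.1 / RFC 6125 section 6.4.3 matching rules, and the SAN lists for the four certificates are constructed for illustration.

```python
"""Host-name verification against a certificate's dNSName SAN entries.

Added example for this page (not the original answer's code). It follows the
matching rules of RFC 2818 section 3.1 / RFC 6125 section 6.4.3 in simplified
form: an exact SAN matches only that name; a wildcard is honoured only when it
is the whole leftmost label and it consumes exactly one label, so
'*.domain.com' matches 'www.domain.com' but not 'domain.com'.
"""


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName pattern is valid for hostname.

    Comparison is case-insensitive (DNS names are). Partial wildcards such as
    'w*.domain.com', wildcards in non-leftmost labels, and overly broad
    patterns such as '*.com' are rejected, as modern browsers do.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Only a bare '*' as the entire leftmost label is accepted.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Refuse '*.com'-style patterns that would cover a whole TLD.
    if len(p_labels) < 3:
        return False
    # The '*' stands for exactly one label: the dot after it is part of the
    # pattern, so the apex name (one label fewer) can never match.
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def hostname_matches(san_dns_names, hostname: str) -> bool:
    """True if any dNSName SAN in the certificate is valid for hostname."""
    return any(_match_dns_name(p, hostname) for p in san_dns_names)


def names_not_covered(san_dns_names, hostnames):
    """Return the requested host names a client would warn about."""
    return [h for h in hostnames if not hostname_matches(san_dns_names, h)]


# Constructed SAN lists for the certificates discussed in the answer.
CERT_WWW_ONLY = ["www.domain.com"]                  # the asker's current cert
CERT_SAN_BOTH = ["domain.com", "www.domain.com"]    # multi-SAN cert
CERT_WILDCARD = ["*.domain.com"]                    # wildcard only
CERT_WILDCARD_PLUS_APEX = ["domain.com", "*.domain.com"]

REQUESTED = ["domain.com", "www.domain.com"]

if __name__ == "__main__":
    for label, sans in [
        ("www only", CERT_WWW_ONLY),
        ("SAN both", CERT_SAN_BOTH),
        ("wildcard only", CERT_WILDCARD),
        ("wildcard + apex", CERT_WILDCARD_PLUS_APEX),
    ]:
        print(f"{label:16s} warns for: {names_not_covered(sans, REQUESTED)}")
```

Running it shows that only the two certificates carrying an explicit domain.com SAN cover both names; the wildcard-only certificate still produces a warning for https://domain.com, and no Apache or DNS setting changes that outcome because the check happens in the client before any HTTP request is sent.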